Wiz
Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

All articles

Essential Cloud Security Controls

Learn to navigate the complexities of cloud security, including the knowledge and tools required to build a robust and proactive defense against ever-evolving cyber threats.

Wiz Experts Team
7 min read

What are cloud security controls?

Cloud security controls are a set of measures and best practices to protect your cloud environment from security threats and ensure the confidentiality, integrity, and availability of your data. Cloud security controls are vital mechanisms and strategies to protect data, applications, and infrastructure in cloud computing environments.

Free Cloud Security Risk Assessment

Connect with a Wiz expert for a personal walkthrough of the critical risks in each layer of your environment.

Request My Assessment

Types of cloud security controls

Extending beyond the traditional concept of security barriers, cloud security controls establish a dynamic and resilient ecosystem capable of adapting to emerging threats and challenges. Let's examine the different kinds of clouds security controls, which can be divided into three primary categories:

1. Physical controls

Physical controls might seem archaic in the cloud era, but they are the bedrock of cloud security. These include:

  • Data center security measures: These are the shelters where our cloud data resides. We're talking about fortified structures designed to resist natural and man-made disasters. It's not just about locks and walls; it's about infusing resilience into every aspect of these facilities.

  • Environmental controls and monitoring: These systems ensure optimal conditions within data centers. From temperature control to humidity management, every aspect is meticulously monitored to prevent any ecological anomaly that could jeopardize data.

  • Physical access controls and surveillance: Access to data centers is a privilege, not a right. Biometric scans, security badges, and continuous surveillance are just a few measures to ensure that only authorized personnel can gain access.

2. Technical controls

Here's where we dig into the heart of cloud security—the technical controls:

  • Network security measures: Network security measures include deploying firewalls and intrusion detection systems. The goal is to create a digital fortress with layers of defense that can identify and neutralize threats before they breach the perimeter.

  • Encryption of data at rest and in transit: Data, whether static or on the move, should be enveloped in layers of encryption. With the power of encryption, even if data is intercepted, it remains incomprehensible to unauthorized entities.

  • Identity access management (IAM) solutions: Who has access to what? IAM solutions are gatekeepers, making certain that only the right people have the right access at the right time.

  • Secure configuration and patch management: In the cloud, steadiness is the enemy. Regular updates and patches are vital shields against emerging vulnerabilities.

3. Administrative controls

Administrative controls are the final piece of the puzzle:

  • Security policies and procedures: These are the blueprints of security architecture. Well-crafted policies and procedures are essential means of guiding teams and ensuring a unified security posture.

  • Employee training and awareness programs: Humans can be your most vulnerable point or your primary safeguard. Regular training programs keep teams up to date about the latest threats and encourage everyone to be proactive about maintaining security.

  • Incident response and disaster recovery planning: When breaches occur, response time is critical. A robust incident-response and disaster-recovery strategy can transform a potential catastrophe into a manageable disruption.

  • Regular security audits and assessments: Regular audits and assessments give you peace of mind that your security posture is not just maintained but continuously enhanced.

In the next section, we'll explore specific cloud security frameworks, focusing on how they guide the implementation of cloud security controls.

The Cloud Security Model Cheat Sheet

Cloud development requires a new security workflow to address the unique challenges of the cloud and to effectively protect cloud environments. Explore Wiz’s 4-step cheat sheet for a practical guide to transforming security teams, processes, and tools to support cloud development.

Learn more

Cloud security frameworks in 2024

The latest cloud security frameworks are not just compliance checklists but comprehensive guides that help organizations implement robust cloud security controls. 

Let's explore some of today’s most influential frameworks in greater detail:

MITRE ATT&CK®

The MITRE ATT&CK® framework is a living encyclopedia of threat tactics and techniques. As a knowledge base used for threat modeling and simulation, it provides insights into potential attack paths and effective defenses. In short, MITRE ATT&CK® helps organizations understand the threats to cloud infrastructure and guides them in fortifying their defenses accordingly.

Center for Internet Security (CIS) Controls

The CIS Critical Security Controls offer a set of actionable security practices. They are designed to immediately improve an organization's cyber defense posture. These controls are tailored to address unique cloud risks, providing guidance to organizations as they implement critical security measures.

wiz blog

Wiz: First agentless cloud security vendor to attain CIS SecureSuite Vendor Certification for cloud-managed Kubernetes

Confidently ensure your Kubernetes environments are compliant with CIS Benchmarks for cloud-managed Kubernetes. Quickly generate compliance reports and remediate any issues without hassle.

Read more

CSA’s STAR (Security, Trust, Assurance, and Risk) program

The Cloud Security Alliance's STAR program is a comprehensive suite of certifications and guidelines that help cloud service providers and users assess the security capabilities of cloud services. This framework emphasizes transparency and helps businesses make informed decisions about cloud service providers based on their security posture.

ISO/IEC 27017:2015

This international standard extends the familiar ISO/IEC 27002 standard into the cloud, offering specific guidance on cloud service acquisition, delivery, and operations. The ISO/IEC framework helps organizations align their cloud security practices with globally recognized standards.

Collectively, these frameworks offer a robust foundation for implementing cloud security controls. By adopting them, organizations can ensure that their cloud environments achieve compliance and stay resilient against cyber threats.

Next, let’s dive into the best practices for cloud security, focusing on proactive defense strategies, risk management, compliance, governance, and technology adoption.

Security Leaders Handbook: The Strategic Guide to Cloud Security

Learn the new cloud security operating model and steps towards cloud security maturity. This practical guide helps transform security teams and processes to remove risks and support secure cloud development.

Download Handbook

Best practices for cloud security in 2024 and beyond

1.Proactive defense strategies

Implementing a zero-trust security model

Zero trust is based on the principle of "never trust, always verify." It's a shift from traditional perimeter-based security models to a more holistic approach where trust is never assumed, regardless of whether a request comes from outside the network or from within it. This model significantly reduces the attack surface because each access request is thoroughly vetted.

Implementing zero trust can involve setting up identity access management (IAM) policies that enforce multi-factor authentication (MFA) and conditional access based on user, device, and location. For instance, in AWS, you can use IAM policies to specify permissions and conditions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}

Regularly updating and patching systems

Keeping systems updated is a crucial part of mitigating vulnerabilities. Patch management guarantees the most recent security updates are applied to all software and systems. This practice prevents attackers from exploiting known vulnerabilities, which are often the most accessible entry points into systems. You can automate patch updates in cloud environments using tools like AWS Systems Manager Patch Manager.

Prioritizing risk management

  • Conducting regular risk assessments: Regular risk assessments are essential for identifying potential vulnerabilities in cloud infrastructure. These assessments help prioritize security efforts based on the severity and likelihood of risks. To streamline this process, a Python script can be employed for automated vulnerability scanning in cloud settings, such as utilizing a tool like AWS Inspector:

import boto3

client = boto3.client('inspector')
assessment_targets = client.list_assessment_targets()['assessmentTargetArns']
for target in assessment_targets:
    client.start_assessment_run(assessmentTemplateArn=target)

  • Prioritizing risks based on potential impact: Prioritizing risks is how you make sure that resources are allocated effectively to address the most critical vulnerabilities first, leading to a more resilient cloud environment. Use a cloud controls matrix in tools like Microsoft Excel or Google Sheets to categorize and prioritize risks based on their impact and likelihood.

2. Compliance and governance

Implementing governance frameworks tailored to cloud environments

Cloud governance frameworks provide structured guidelines for managing cloud resources effectively. These frameworks ensure that cloud resources are used in alignment with organizational policies and cloud compliance requirements. You can implement a governance framework using infrastructure-as-code (IaC) tools like Terraform or AWS CloudFormation. For example, use a Terraform script to enforce tagging policies:

resource "aws_resourcegroupstaggingapi_tag_policy" "compliance" {
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "tagging:TagResources",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Project": "prod"
        }
      }
    }
  ]
}
POLICY
}

3. Technology and tool adoption

Leveraging AI and machine learning for enhanced threat detection and response

AI and ML technologies can analyze vast amounts of data to identify patterns and anomalies indicative of security threats. These technologies enable faster and more accurate threat detection and response. It’s straightforward to implement an ML model for anomaly detection using Python and a cloud ML service like AWS SageMaker or Google Cloud AI:

from sklearn.ensemble import IsolationForest
import pandas as pd

# Load dataset
data = pd.read_csv('cloud_traffic_data.csv')

# Train the model
model = IsolationForest()
model.fit(data)

# Detect anomalies
anomalies = model.predict(data)

These best practices, backed by technical implementations, provide the first steps toward strengthening cloud security in 2024 and beyond. In the next section, we’ll look at how you can take your cloud security to the next level.

CNAPP For Dummies

Everything you need to know about cloud-native security

Download now

Wiz's approach to cloud security controls

Wiz is a comprehensive cloud security platform that can help you implement a wide range of cloud security controls with features like:

  • 100 built-in frameworks: Wiz has over 100 built-in frameworks such as CIS, PCI, NIST, HIPAA, and GDPR and automatically assesses your environment against those frameworks so you can quickly understand your compliance posture. The frameworks consist of built-in controls and cloud configuration rules that are mapped to the control lists and recommendations of each framework. Wiz calculates your overall compliance score for each one of the frameworks and creates a heatmap for your overall compliance posture across all frameworks so you can have quick visibility. 

  • Customize frameworks and controls: One size doesn’t fit all, and some organizations have different regulations and standards they must comply with that are unique to them. For unique needs based on your organization’s domain and best practices, you can define a custom compliance framework, where you can pick and choose which controls are needed for your organization to build a framework that reflects best your requirements.

  • Quickly remediate any issues with guidance and automatic remediation: After identifying a failed control in your environment, it's not always clear what the next step is to address the failed checks. For any failed control in your environment, Wiz gives you detailed remediation guidance to quickly respond to any issues. For example, to remediate the rule S3 Bucket should have all 'Block Public Access' settings enabled, Wiz provides the exact API call to make to resolve this issue: 

Ensure compliance across your cloud environments

See how Wiz eliminates the manual effort and complexity of achieving compliance in dynamic and multi-cloud environments.

Get a demo

Continue reading

Credential Stuffing Explained

Wiz Experts Team

Credential stuffing is a type of cyberattack where automated tools are used to repeatedly inject stolen username/password combinations into various services to gain access to legitimate users’ accounts in addition to those that were originally breached.

Container Orchestration

Nicolas Ehrman

Container orchestration involves organizing groups of containers that make up an application, managing their deployment, scaling, networking, and their availability to ensure they're running optimally.

Native Azure Security Tools

Wiz Experts Team

This blog explores the significance of security in Azure environments and provides an overview of native as well as third-party security tools available to improve an organization’s Azure security stance.

Cross-site scripting

Wiz Experts Team

Cross-site scripting (XSS) is a vulnerability where hackers insert malicious scripts inside web applications with the aim of executing them in a user’s browser.